Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-04-2024 03:05

General

  • Target

    f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    f95d0beafe5a035fb1cd6073ae4a76ae

  • SHA1

    5969347c5b1f4156091b54edc834c997054cef82

  • SHA256

    c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8

  • SHA512

    3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0

  • SSDEEP

    6144:Hk4qmM6KhriUJ5qPFYLSuq0MFGsPIkEkaeXt8rCVgPm:E9XrrEYLlJUIk3X6+S

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Powers

C2

hackersgratis.no-ip.biz:1338

hackersgratis.no-ip.biz:81

hackersgratis.no-ip.biz:1533

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    services.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    59255433

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:676
        • C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
          3⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
          • C:\Windows\SysWOW64\Win32\services.exe
            "C:\Windows\system32\Win32\services.exe"
            4⤵
            • Executes dropped EXE
            PID:2880

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

      • Persistence
        Boot or Logon Autostart Execution (2) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
      • Privilege Escalation
        Boot or Logon Autostart Execution (2) T1547
        Registry Run Keys / Startup Folder (2) T1547.001
      • Defense Evasion
        Modify Registry (2) T1112
      • Discovery
        System Information Discovery (1) T1082


    Downloads
